Palo Alto PCNSA – Chapter 11 – Monitoring and Reporting part 3
- 11.5 Syslog
In this video we are covering PCNSA 210, chapter eleven, Monitoring and Reporting. This is the fifth video of chapter eleven, 11.5 Syslog. Most likely you are already familiar with syslog and what it is needed for. Every time we do something on the device we get a syslog message. But instead of looking at the messages on each individual device, it is better to collect them on a server. So syslog is a standard for log transport: it enables the aggregation of log data from many network devices (routers, firewalls, even printers) and sends it to a central repository server for archiving, analysis and reporting.
Palo Alto Networks firewalls can send their syslog messages to external syslog servers. That can be a fully fledged server with a syslog service installed on it, or it could just be a normal client machine with a syslog application installed, which is what I'll be using. If I show you, I'm going to be using a syslog server on this Windows 7 machine; I have the Kiwi Syslog Server console installed here and I will demonstrate syslog with it. But the messages could equally be sent to a fully fledged server with lots of terabytes of storage, or to a SIEM (security information and event management system), which aggregates and correlates syslog messages from many sources.
Syslog can be transported as best-effort delivery over UDP port 514 or reliably over TCP port 514. Both of those are clear text, so if you are not comfortable with that, because you are transporting confidential syslog messages, then you might want to use SSL with certificate authentication, which sends them encrypted; the port for that is TCP 6514. I don't have a server to show you SSL delivery working, but I will show you what certificates you need. So I'm going to go to my firewall and configure syslog there, because the firewall is the client. And no, I don't want to update Kiwi right now, so I'm going to cancel this prompt and go to the firewall.
At the end of the day the firewall is the client, and this machine here is going to be our server; this is where we send the messages. So as the client we need to configure syslog on the firewall. We go to Device and create a Syslog server profile: scroll down a bit under Server Profiles and you will see Syslog. I'm going to create a new syslog server profile called, let's say, Astrid-syslog-server. I use the name Astrid here, but obviously in production you would use something meaningful. Then I'm going to add my servers, two of them: one as clear text, best-effort delivery, which is my Windows 7 machine, and another one as SSL, which is a Windows Server 2016 machine. So the first one I'm going to call Win7.
The IP address for this one, which is the one we are actually going to test, is 192.168.1.20. As you can see, for the transport we can send it as UDP on port 514, TCP on the same port 514, or SSL on port 6514. These are the standard ports; you can obviously change them if your server listens on a non-standard port. So UDP 514. There are two formats, BSD or IETF. BSD is the default, and you don't need to know the difference between the two for the exam. Log Facility: we can send the messages as LOG_USER or any of the other facilities; if you pick LOG_USER, all the messages are tagged with that facility. We can even change the format of the syslog messages themselves.
If you go a bit further into how the messages appear, for example whether you want to see the date, the sequence number and so on, you can change that in the Custom Log Format tab. I'm not going to change it. I'll go back to the Servers tab and create a second one, this time for the Windows Server 2016 machine, so I'll name it Server2016. The IP address here is 192.168.1.2, and for this one I'm going to use SSL. I don't have this server; I'm just going to demonstrate what certificates you need for it. So there we go, we have two servers: one clear text, UDP best-effort delivery, and one SSL, encrypted with authentication.
Because we have encryption with authentication, we have to create a certificate for the firewall, and that certificate has to be signed by a CA. I don't have a CA, so I need to create two certificates. Go to Device > Certificate Management > Certificates. First we generate a certificate authority: name it CA-Cert, use the firewall's own IP address as the common name, and don't have it signed by an external authority, so it is a self-signed CA. I press F11 just so I can see everything, and generate it. Then I have to generate another certificate, which is the one syslog will use, and that one is signed by this CA.
I'm going to name it Syslog-Cert and in the common name I'm just going to use the same name as the certificate. It is signed by the CA, and that's it, generated. Then I have to edit this certificate and tell the firewall that it is the syslog certificate: tick Certificate for Secure Syslog. Finally, the CA's certificate (its public key) has to be installed on the syslog server so that the server trusts the certificate the firewall presents. That's the configuration of the syslog profile and the certificates you need for SSL. The next thing we need to do is enable log forwarding and then apply that forwarding to a security policy.
To enable log forwarding I go to Objects, scroll down a little, and under Log Forwarding I create a brand new profile. I'll call it Astrid-log-forwarding; again, in production give it a better name and description. I add a match list entry, call it log-forwarding, give it a description and choose the log type I want to forward: I can send normal traffic logs, threat logs and so on. I'm going to keep it as traffic. You can use the filter builder to select which logs you want to send, or you can send all logs. We learned in the previous lesson that we can forward them to Panorama, SNMP and email, but this time it's just going to be syslog.
So I add the syslog server profile I created, Astrid-syslog-server, and click OK. That's my forwarding profile. Then I have to apply it to one of my policies. Go to Policies, open the inside-to-outside policy, and under Actions set Log Forwarding to the profile I just created. That's it. Once we commit, we should see logs coming out. So I commit this, then go back to the client machine. The commit has completed successfully, so on the client machine we should start seeing log messages come up. And there we go, we just got the first log message from our firewall.
It came from firewall-a.lab.local, and you can see the log messages now start arriving; this machine becomes the repository for that firewall's logs. If you have several firewalls, you go to each one and configure what we just did here: the syslog server profile (here the Windows 7 machine with this IP address), then the log forwarding profile, then apply it to the policy. As messages come from each firewall they are populated here. Anything going from the inside zone to the outside zone matches that policy, so those are the log messages we will see. Okay.
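As an added example (not part of the course and not PAN-OS code), here is a small Python parser for the kind of message the Kiwi console is now receiving. It decodes the syslog PRI into the facility and severity the profile set (LOG_USER, info), handles both the BSD and IETF header formats the profile offers, maps the comma-separated PAN-OS TRAFFIC log body onto named fields, and runs one simple check over the result. The column positions are assumed from the PAN-OS traffic log field order, the exact header PAN-OS writes in IETF mode is assumed, and the sample lines are constructed, not captured from a firewall.

```python
import csv
import re

# Syslog PRI = facility * 8 + severity (RFC 3164 section 4.1.1). LOG_USER is facility 1.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Column positions in the comma-separated PAN-OS TRAFFIC log body. Assumed from the
# PAN-OS traffic log field order (0 = FUTURE_USE, 1 = receive time, 2 = serial,
# 3 = type, ...). Verify against the log field reference for your PAN-OS version.
TRAFFIC_COLUMNS = {3: "type", 4: "subtype", 7: "src", 8: "dst", 11: "rule", 14: "app",
                   16: "from_zone", 17: "to_zone", 24: "sport", 25: "dport",
                   29: "proto", 30: "action", 31: "bytes"}

# BSD (RFC 3164): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
BSD_HEADER = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# IETF (RFC 5424): <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
IETF_HEADER = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+) ?(.*)$", re.S)


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, "facility%d" % facility), SEVERITY_NAMES[severity]


def parse_panos_syslog(line: str) -> dict:
    """Parse one PAN-OS syslog message in BSD or IETF format into a flat dict."""
    m = IETF_HEADER.match(line)
    if m:
        fmt, pri, timestamp, host, body = "IETF", int(m.group(1)), m.group(2), m.group(3), m.group(8)
    else:
        m = BSD_HEADER.match(line)
        if not m:
            raise ValueError("not a syslog message: %r" % line[:40])
        fmt, pri, timestamp, host, body = "BSD", int(m.group(1)), m.group(2), m.group(3), m.group(4)
    facility, severity = decode_pri(pri)
    record = {"format": fmt, "facility": facility, "severity": severity,
              "timestamp": timestamp, "host": host}
    fields = next(csv.reader([body]))  # csv handles the quoting PAN-OS applies to fields with commas
    if len(fields) > 3 and fields[3] == "TRAFFIC":
        for index, name in TRAFFIC_COLUMNS.items():
            record[name] = fields[index] if index < len(fields) else ""
    return record


def unexpected_egress(record: dict, allowed_ports=frozenset({"80", "443"})) -> bool:
    """Flag an allowed inside->outside session to a port the policy was not meant for."""
    return (record.get("action") == "allow" and record.get("to_zone") == "outside"
            and record.get("dport") not in allowed_ports)


# Constructed sample messages (not captured from a real firewall): the same TRAFFIC log
# as the profile would emit it in BSD and in IETF format. Serial number and addresses
# are made up; the inside client 192.168.1.50 is NATed to 192.0.2.10.
TRAFFIC_BODY = ("1,2024/01/15 10:22:31,001234567890,TRAFFIC,end,2561,2024/01/15 10:22:31,"
                "192.168.1.50,93.184.216.34,192.0.2.10,93.184.216.34,allow-inside-out,,,"
                "web-browsing,vsys1,inside,outside,ethernet1/2,ethernet1/1,Astrid-log-forwarding,,"
                "12345,1,51522,443,10877,443,0x400000,tcp,allow,5321,1432,3889,18,"
                "2024/01/15 10:22:01,30,computer-and-internet-info")
BSD_LINE = "<14>Jan 15 10:22:31 firewall-a " + TRAFFIC_BODY
IETF_LINE = "<14>1 2024-01-15T10:22:31Z firewall-a - - - - " + TRAFFIC_BODY
# Same session but to TCP 4444, to show the egress check firing.
ODD_PORT_LINE = BSD_LINE.replace("51522,443,10877,443", "51522,4444,10877,4444")

if __name__ == "__main__":
    for line in (BSD_LINE, IETF_LINE, ODD_PORT_LINE):
        rec = parse_panos_syslog(line)
        print(rec["format"], rec["facility"], rec["severity"], rec["host"], rec["rule"],
              rec["src"], "->", rec["dst"], rec["dport"], rec["action"],
              "UNEXPECTED" if unexpected_egress(rec) else "")
```

The PRI is the only place the LOG_USER choice from the profile shows up on the wire, and on a shared collector it is often the cheapest way to route firewall logs away from everything else. Remember that over UDP the header above is all the sender identity you get; only the SSL profile gives you a certificate-backed source.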
- 11.6 Configuring SNMP
In this video we are covering PCNSA 210, chapter eleven, Monitoring and Reporting. This is the sixth video of chapter eleven, 11.6 Configuring SNMP, the Simple Network Management Protocol. For this video I'm going to go straight to my firewall and demonstrate how to configure SNMP. For those of you who are not familiar with SNMP, we need to know some of its components. First there is the SNMP manager: that's where we collect our SNMP information, whether from the firewall, a router or any other SNMP-capable device.
We can manage those devices from the manager, and each such device is called a managed node. So we have an SNMP manager and a managed node, and the manager manages the node. On the managed node there is an agent running, and that agent builds a management information base, the MIB: for example the status of interfaces, the status of routing, the status of zones, anything like that goes into the MIB, and the manager communicates with the agent about this management information base.
For example, if the manager wants to see the status of an interface it sends an SNMP message, a Get: get me the status of a certain interface, and the agent sends back the answer. The manager can then turn around and, say, if the interface is down, send a Set message: set the interface up. So Get is the read operation and Set is the write operation, giving us read and write access. A user with Get only has read access, because they can't set anything; a user with Get and Set has read and write. Now we have another message.
So Get is the first message you should know, Set is the second, and the third is the Trap. A trap is an unsolicited message sent by the agent to the manager. Let me just clear some of the stuff here so I can see it nicely. So what is a trap? If, for example, an interface goes down and the agent thinks that's really bad, it can send a trap, an unsolicited message, to the SNMP manager saying this event happened. Now, if our SNMP manager sits on the management network, we first need to permit SNMP on the management interface, which is not enabled by default. Go to Device > Setup > Interfaces, open Management, and enable SNMP there.
Once we've done that, click OK. Then we go to Device > Setup > Operations and set up SNMP there; that's where the SNMP setup happens. Two protocol versions are offered here, though historically there were three: version 1, 2 and 3. Version 2 has one common password for read and another for write; it's actually called a community string. It means that if I am an administrator and you are an administrator, we both have to know the same string, and there is no way to tell who did what. Maybe one of us did something wrong; we can't tell, because we share the common community string. In version 3 there is none of that.
Instead we have a username, a password, encryption and integrity, none of which exist in version 2, which is just password protected. So if your device supports version 3, you really should not be using version 2. In version 3 you first fill in the physical location (I'm just going to put London, it doesn't really matter) and a contact. The physical location would be the floor and the full address where the device is, and the contact would be the name of the person responsible, their phone number and so on. I'm not going to give you my phone number.
To configure version 3, first we configure the views and then the users. With SNMP everything is identified by an object ID, which is a dotted string of numbers starting 1.3.6.1, and something has to decode all those dots and numbers. If you want to give a user access to see everything, you need to add a view that covers everything. I'll add a view and call it view-all, put 1.3.6.1 as the OID and 0xf0 as the mask (four sub-identifiers in the OID, four 1 bits in the mask, so everything under 1.3.6.1 is covered), and then choose include or exclude as the option. So I can exclude everything or include everything; here we include.
I click OK, and then under Users I add a user, Astrid, who gets view-all, so she sees everything. If you want to give access to only the interfaces, say, you have to look up the object ID of that part of the MIB and use that as the view's OID. Then the authentication password: I'll put paloalto here, and the privacy (priv) password: again I'll put the same password, but you would obviously use different ones. I'm using paloalto just for training, and click OK. Here I made a mistake: the mask is not 0xcf0; if I go back into that view it should be 0xf0. Click OK again, and now we're not getting any errors. So, like I said, we have SNMP version 2 and SNMP version 3. Version 2 uses a community string and everybody has to know the same string.
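The OID and mask on a view follow the VACM rules of RFC 3415, which is what makes "1.3.6.1 with 0xf0" mean everything. As an added example that is not from the course or from PAN-OS, here is a Python implementation of that matching, with the view from the video plus three more restrictive views of the kind the narrator hints at (interfaces only, a single interface row, and everything except the SNMP user and access-control tables). The OIDs used are standard MIB-2, IF-MIB and SNMP-USER-BASED-SM-MIB identifiers; the views themselves are constructed for the example.

```python
# VACM view families (RFC 3415): an OID is in a family when it is at least as long as the
# family subtree and every sub-identifier whose mask bit is 1 matches. Mask bits are read
# most-significant first, one per sub-identifier; bits past the end of the mask count as 1.


def mask_flags(mask: bytes, length: int) -> list:
    """Expand a VACM family mask into one must-match flag per subtree sub-identifier."""
    flags = []
    for i in range(length):
        byte_index, bit_index = divmod(i, 8)
        if byte_index < len(mask):
            flags.append(bool(mask[byte_index] & (0x80 >> bit_index)))
        else:
            flags.append(True)  # a short mask is padded with 1 bits
    return flags


def in_family(oid: str, subtree: str, mask: bytes) -> bool:
    """True if `oid` falls under the family defined by `subtree` and `mask`."""
    oid_ids = [int(x) for x in oid.split(".")]
    sub_ids = [int(x) for x in subtree.split(".")]
    if len(oid_ids) < len(sub_ids):
        return False
    return all(not must or o == s
               for o, s, must in zip(oid_ids, sub_ids, mask_flags(mask, len(sub_ids))))


def oid_in_view(oid: str, view: list) -> bool:
    """view: list of (subtree, mask, 'include'|'exclude'). The matching family with the
    longest subtree (then the greatest mask) decides, as in RFC 3415 section 3.2."""
    matches = [(len(subtree.split(".")), mask, kind)
               for subtree, mask, kind in view if in_family(oid, subtree, mask)]
    if not matches:
        return False
    _, _, kind = max(matches, key=lambda m: (m[0], m[1]))
    return kind == "include"


# The view from the video: OID 1.3.6.1, mask 0xf0, include. Four sub-identifiers, four
# 1 bits, so every OID under iso.org.dod.internet matches.
VIEW_ALL = [("1.3.6.1", bytes.fromhex("f0"), "include")]

# Interfaces only: the IF-MIB interfaces group is 1.3.6.1.2.1.2 (seven sub-identifiers,
# so seven 1 bits: 0xfe).
VIEW_INTERFACES = [("1.3.6.1.2.1.2", bytes.fromhex("fe"), "include")]

# One interface row only: ifEntry columns are 1.3.6.1.2.1.2.2.1.<column>.<ifIndex>. A 0 bit
# at the column position wildcards it, so ifIndex 3 is visible in every column but no other
# interface is. Mask 0xffa0 = 1111 1111 101x xxxx: bits 1-9 match, bit 10 wild, bit 11 match.
VIEW_IF3 = [("1.3.6.1.2.1.2.2.1.0.3", bytes.fromhex("ffa0"), "include")]

# Everything except the SNMP user (1.3.6.1.6.3.15) and access-control (1.3.6.1.6.3.16)
# MIBs: the longer exclude families win over the short include family.
VIEW_NO_USM = [("1.3.6.1", bytes.fromhex("f0"), "include"),
               ("1.3.6.1.6.3.15", bytes.fromhex("fe"), "exclude"),
               ("1.3.6.1.6.3.16", bytes.fromhex("fe"), "exclude")]

if __name__ == "__main__":
    sys_descr = "1.3.6.1.2.1.1.1.0"            # sysDescr.0
    if_descr_3 = "1.3.6.1.2.1.2.2.1.2.3"       # ifDescr.3
    if_descr_4 = "1.3.6.1.2.1.2.2.1.2.4"       # ifDescr.4
    usm_user = "1.3.6.1.6.3.15.1.2.2.1.3"      # a usmUserTable column instance
    for name, view in (("view-all", VIEW_ALL), ("interfaces", VIEW_INTERFACES),
                       ("if3-only", VIEW_IF3), ("no-usm", VIEW_NO_USM)):
        print(name, [oid_in_view(o, view) for o in (sys_descr, if_descr_3, if_descr_4, usm_user)])
```

The practical lesson is that a monitoring user rarely needs view-all: a view like the interfaces one, or an include with explicit excludes, keeps a leaked SNMPv3 credential from reading more of the MIB than the poller actually uses.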
Version 3 gives us a username, passwords, integrity, authentication and confidentiality; everything is in there. I don't have an SNMP manager to actually test this, but it is configured. Now we have a configuration for the SNMP manager to talk to the managed node, and this is the information it's going to use: me as a user, with the read access that Get messages give (note that PAN-OS itself only answers Get requests; it does not accept Set, so SNMP on the firewall is effectively read-only). Next I'm going to show you how to configure SNMP traps, where the managed node sends unsolicited messages to the manager if something drastic happens. We stay in the same place, Device, and scroll down a little to Server Profiles, SNMP Trap. I'm going to add a new SNMP trap profile and call it SNMP-trap.
Like before we have version 2 and version 3; version 1 is not even supported. Version 2 uses the community string, so we don't want it. Version 3 has encryption, authenticity and integrity, with a username and password. So I'll name the server entry Me, put in the SNMP manager's IP address (wherever your SNMP manager is, for example an address ending in .200), and the user, which has to exist on the manager as well, with its authentication password, paloalto (obviously use a stricter password), and the privacy password, also paloalto. Click OK. Now whenever there's a trap, when something drastic happens on the device, the agent on the firewall will send the trap to the manager without being asked.
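The authentication and privacy passwords entered for the SNMPv3 user and trap profile never travel on the wire, which is the real difference from a version 2 community string. RFC 3414 turns each password into a key and then localizes it to the authoritative engine (for both Get requests and traps from the firewall, the firewall's own engine ID), so the same password yields a different key per device. This added example, which goes slightly beyond what the video covers and is not from the course or from PAN-OS, implements that derivation in Python and checks it against the RFC's published MD5 test vector; the two firewall engine IDs are constructed, and MD5 is used only because that is the vector the RFC publishes (pass "sha1" for SHA-based users).

```python
import hashlib
import hmac

# RFC 3414 USM key derivation. The chain password -> Ku -> Kul is the same for the
# authentication password and the privacy password; only the engine ID and algorithm vary.


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """Ku: hash of the password repeated out to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    h = hashlib.new(algorithm)
    repeats, remainder = divmod(1_048_576, len(password))
    h.update(password * repeats + password[:remainder])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key that protects messages to one engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def auth_parameter(kul: bytes, whole_msg: bytes, algorithm: str = "md5") -> bytes:
    """USM msgAuthenticationParameters: HMAC over the whole message, truncated to
    12 bytes (HMAC-MD5-96 / HMAC-SHA-96, RFC 3414 sections 6 and 7)."""
    return hmac.new(kul, whole_msg, algorithm).digest()[:12]


def keys_for(password: bytes, engine_id: bytes, algorithm: str = "md5") -> dict:
    """Both stages of the derivation, hex encoded, for one engine."""
    ku = password_to_key(password, algorithm)
    return {"ku": ku.hex(), "kul": localize_key(ku, engine_id, algorithm).hex()}


# RFC 3414 appendix A.3.1 test vector.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed engine IDs for two firewalls (made up for this example, not real devices).
FIREWALL_A = bytes.fromhex("80000de3030c0102030405")
FIREWALL_B = bytes.fromhex("80000de3030c0a0b0c0d0e")

if __name__ == "__main__":
    print("RFC vector:", keys_for(RFC_PASSWORD, RFC_ENGINE_ID))
    a = keys_for(b"paloalto", FIREWALL_A)
    b = keys_for(b"paloalto", FIREWALL_B)
    print("same password, same Ku on both firewalls:", a["ku"] == b["ku"])
    print("same password, same Kul on both firewalls:", a["kul"] == b["kul"])
```

Two things follow for the firewall: the manager must learn the firewall's engine ID before it can verify a trap, and a localized key recovered from one device's configuration or memory does not unlock another device that shares the password, although the password itself still does, which is why the narrator's "use different passwords" advice applies per user and per device rather than per field only.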